Main menu

GetTor: New Ways to Download Tor Browser

We are pleased to announce the new features available in the GetTor, a service that provides alternative ways to download Tor Browser, aimed for people who live in places with high levels of censorship (e.g. when www.torproject.org is blocked) or people who just don't want to expose the fact that they are downloading Tor Browser. This work adds important new download options and capabilities and includes improvements to the current code, deployment of new channels and providers, and some brand new features such as the GetTor API. We would also like to give special thanks to Nima Fatemi, who was in charge of the non-coding parts of this project (from funding to technical management).

Update note: we now have the gettor@torproject.org account for the XMPP channel. However, we will have the get_tor@riseup.net account enabled for a couple of more weeks just in case you are still using it.

Landing page

A GetTor landing page has been created to offer information in one place (statistics, guides, etc.). If you are interested in what is going on with GetTor, following the landing page is highly recommended.

New Distribution Channels

In the past, GetTor has distributed packages by sending the bundles -- and then, later, just links -- via email. Now there are two more ways to interact with GetTor:

Using Twitter: You can send a direct message to @get_tor account (you don't need to follow the @get_tor acount). Send the word help in a direct message to receive information on how to download the Tor Browser.

Using XMPP: You can send a message to gettor@torproject.org using your favorite XMPP client. Simply enter help in an XMPP message to receive information on how to download the Tor Browser.

GitHub

GitHub is now a provider of Tor Browser (in addition to Dropbox and Google Drive), and the latest version of Tor Browser may be downloaded from our Github page and our Github repository.

Support for Android

Orbot is a free proxy (i.e. an intermediary) app that empowers other apps to use the Internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by sending it through a series of computers around the world. In addition to the download options provided by Guardian Project (Google Play, F-Droid, Direct download), GetTor provides yet another way to download Orbot to your mobile device. To do this, you have to reach one of our distribution channels and specify the android command (See Examples, at the bottom of this blog post). You will then receive instructions to download Orbot's Android Application Package (APK) file from Github, Google Drive or Dropbox. Once you have downloaded the APK file you can use it to install Orbot (similar to .exe files in Windows) and start using it.

Translated Versions of Tor Browser

GetTor provides a small set of translated packages focused on its end users. The available languages are Farsi, Chinese, Turkish, and English (which is the default). If you want to use this feature in the email autoresponder, for example, you send your request to:

For the Twitter and XMPP channels, you just need to add the language word to the
message (e.g. linux fa will get you links for Tor Browser in Farsi).

Mirrors

There are many volunteers who use their own servers to provide mirrors of Tor Project's website. One or more of these mirrors may be not blocked in places where torproject.org is censored and could help in downloading Tor Browser. With this new release, you can request a list of these mirrors from GetTor by sending an email (or message, in case of Twitter and XMPP) with the word mirrors in the body of the text.

Statistics

Some basic but effective improvements have been made to collect anonymous data and compile meaningful statistics about GetTor usage, including requests per channel, operating system, and language. Safeguards have been implemented so that all information collected is anonymous, and it is erased on a daily basis -- we just keep the number and types of requests. Reports about this data will soon be available on GetTor's website.

RESTful API

One of GetTor's major new features is its API. In simple terms, an API is a set of rules and specifications that allow applications to communicate with each other (following these rules). This is helpful to developers who want to create new services or applications based on the information provided by the API. In this case, the GetTor API provides the following information:

Links to download Tor Browser by provider, with filters for operating system and language.

Links to download Tor Browser from Tor Project's website, with filters for choosing the release (latest version , etc.), operating system, and language.

Invitation to Collaborate

If you are a Tor user, a developer, good at writing content for non-technical users or anything else, we are happy to hear from you! You can use the comments section below, the tor-talk and tor-dev mailing lists, or come talk to us on IRC (#tor-dev on OFTC; our nicknames are ilv, sukhe and mrphs).

How to Ask for Tor Browser--Some Examples

To help you get started, here are a few examples of GetTor requests with different locales (languages) and operating systems:

Example 1 (Email): To get links for downloading Tor Browser in Farsi for Windows, send an email to gettor+fa@torproject.org with the word windows in the body of the message.

Example 2 (Twitter): To get links for downloading Tor Browser in English for OS X, send a Direct Message to @get_tor with the words osx on it (you don't need to follow the account).

Example 3 (XMPP): To get links for downloading Tor Browser in Chinese for Linux, send a message to gettor@torproject.org account with the words linux zh on it.

Example 4 (Email): To get links for downloading Orbot for Android, send an email to gettor@torproject.org with the word android in the body of the message.

GetTor provides for alternative ways to download Tor Browser in case the existing ones don't work for you. But to answer your question, no, we are not removing any (existing) options like downloading Tor Browser from the website or mirrors.

For simplicity, when you ask for links for Linux you will receive links to download Tor Browser for both 32 & 64 bit (the message sent by GetTor specifies which links are for 32 bit and which links are for 64 bit). You can then choose to download the version you need.

While using latest edition of Tails, when requesting a new identity in Tor Browser, I sometimes see warning message "Tails cannot safely give you a new identity: does not own Tor control socket?" That sounds bad.

Ever thought of getting an EV certificate for the main torproject.org domains so we can confirm the identity of the main site with a green bar in the browser? They are available to 501(c)(3)'s; the ASPCA has one.

It's something moderately interesting, but nothing new (the Firefox security model is crap, and is being reworked with e10s, the move to Web Extensions among other things), wrapped in sensationalist clickbait garbage that is par for the course for modern "tech journalism".

If users install malicious addons, then the current Firefox extension model means that the code in other addons can be leveraged. But the user first has to install extra malicious addons, at which point they've lost anyway.

Unfortunately, the e10 sandbox does not work with noscript, even though it works with most other addons. You're completely right though. The Firefox security model is absolutely horrific. I don't want to scare many users here, but I will say that Firefox has some of the most terrifying code I have ever seen in my life. Have you even *seen* their experimental seccomp policy? Has anyone in the world fuzzed imlib? I mean, Chrome is orders of magnitude more secure, and even IE is harder to hack now days (for the average hacker, not the privileged law enforcement agency with access to possible backdoors). I'm going to stop myself now before I go on a 2 hour rant about Firefox security...

Friend they recommend I get Tor... so I download and install... now it requires attention or refuses access on almost every site I visit... now I uninstall and say bye, bye to Tor... now my web surfing is back to being smooth and fast :)

That could work, but our main focus is making alternatives that are easy-to-use for people who is not very familiar with computers, and the method you describe sounds a little bit complicated for that case. This might be useful for technical users, but only if torproject.org is not blocked, which is our initial assumption for GetTor (unless we use other domain for doing it, in that case, which one?).

> More than a million people a month now use popular anonymity software to browse Facebook without outsiders being able to determine their location or other details about their computer.
>
> Communicating through a connection secured by Tor allows users to hide the location of their device as well as information that could help to identify them. Many use it to get around internet censors in other countries or to keep their information from being obtained by organizations engaged in surveillance.
>
> Facebook announced in 2014 that it had created a version of its website meant to run properly on a Tor-secured connection. Previously, the website would appear broken to some users browsing on Tor.
>
> Facebook engineer Alec Muffett said in a post that in June of last year, roughly 525,000 were accessing Facebook through Tor in a given 30-day period. Now, that number is more than one million, he said.

EFF has said it will organize its members to oppose the Burr-Feinstein mandating encryption backdoors, which would outlaw steganography and file compression as well as cryptography. Will Tor Project get involved too? Since Tor cannot function without cryptography, it seems TP has a dog in this fight.

> A federal judge in Massachusetts ruled Wednesday in favor of a man accused of accessing child pornography through Tor, finding that the warrant issued by a Virginia-based judge was invalid. The evidence of child pornography the government claims it found on the man's computers is suppressed, which likely makes continuing prosecution of this case significantly more difficult.
>
> That warrant, which was issued in early 2015, allowed federal investigators to use a "network investigative technique" (NIT), government-speak for a piece of malware typically used to penetrate the digital security of Tor users.

A few years ago some of us tried to warn Tor Project about the implications of DOJ's efforts to change Rule 41 (which governs certain aspects of how police can gather evidence about criminal suspects). Notice this plays a role in the case:

> When the FBI hacked over 1,000 computers to ensnare consumers of child pornography early last year, its actions were illegal, a federal judge ruled Wednesday.
> ...
> Judge William Young of the U.S. District Court in Boston ruled that the FBI’s search of Playpen visitor Alex Levin’s computer — located in Massachusetts — was unlawful because the magistrate judge who issued the warrant was in Virginia. According to Rule 41 of federal criminal procedure, magistrate judges can’t authorize a warrant outside their geographical jurisdiction.
>
> The Department of Justice is seeking to change that rule, but it hasn’t happened yet. “The government knew they had problems with Rule 41, and they didn’t wait for those changes to be approved. They went ahead with a mass hack,” Chris Soghoian, principal technologist for the American Civil Liberties Union, told The Intercept.
>
> Government lawyers two years ago began the multi-stage process of changing the rule to allow judges to grant warrants for remote searches of computers located outside their district or when the location is unknown. Despite angry protests from civil liberties advocates and technologists including the ACLU and Google, who described it as a power grab by the FBI to be able to conduct mass hacks with impunity, the rule change was approved by several judiciary panels, and is widely expected to be approved by the Supreme Court any day now. Congress has six months to modify or reject it, or else it will take effect.
>
> “This is a serious, complicated issue that Congress needs to consider quickly, to ensure our laws are keeping up with technology,” Sen. Ron Wyden, D-Ore., said in a statement emailed to The Intercept. “The solution is not to allow an obscure bureaucratic process to vastly expand the government’s surveillance powers. This requires serious public debate, to guarantee there are strong safeguards and oversight when it comes to government hacking.”
>
> Just this week, members of Congress first started asking substantive questions of the FBI about “lawful hacking” and the dynamics of getting around encryption by exploiting devices rather than trying to ban unbreakable encryption altogether.
>
> The government’s takeover of the child-porn site also risks becoming a greater source of controversy. Soghoian said the government’s decision to keeping the site running, rather than shut it down immediately, allowed hundreds of thousand of people to share and distribute new hurtful images while the FBI only caught a small percentage with its malware.
>
> In his ruling, Judge Young compared the practice to the FBI selling drugs — not just pretending to — in order to catch drug dealers. “The judge clearly is not happy about the government operating a child-porn site,” said Soghoian.

Some of us have worried for years about traffic shaping attacks on Tor, and recently evidence emerged which suggests that an adversary may be mounting a large scale traffic shaping attack (on hidden services, but we also worry about ordinary web browsing via Tor Browser). Mike Perry commented:

> Based on what you have reported, the second stage traffic shaping could
be due to some kind of in-line traffic shaping device, though it could
also still be due to targeted denial of service attacks against specific
nodes in the network.

Can you explain how "in-line traffic shaping devices" might work in attacks on Tor Browser?

Hi,
while agreeing that this four languages cover an important part of vulnerable users and it is really great that tor is available in three other languages than its original English, it is an important step to make Tor available in more languages. Translation seems not to be a priority here, but it makes a huge difference for users to use this important tool in their own language even for those who an understand English. So, there is already a whole effort going on on Transifex communities, but even for languages that have already 100% or content translated, no version of Tor is released in those languages. I just would like to remember here that translation IS an important issue to address in the Tor community and it deserves more attention and care.
I greet you all!!!

Sometimes I wonder if random posts to things like this are just for the purpose of discrediting Tor. I mean this comment isn't even relevant to the thread. This thread is about letting people in oppressed countries download Tor when it is blocked, and you post a clickbait link about a Firefox vulnerability, the same one that so many people use to try to convince people that Tor itself is somehow flawed?

Since 2015 I experienced blocks on different websites, when I used tor browser system. My winsystem hangs for about 30 seconds to 1 minute or more. At first time I felt attacked. Just now I tested a new AntiVirus software, which blocked the automatted update of tor system. I will download the new tor version manually, and will share my experience in this blog.

I am very interested in the OS statistics of the users. I have been monitoring the gettor website for some time now but the only thing I find is the message: We will publish statistics soon. Any idea when the statistics will be available?